Abstract

This note proposes a method of space efficient secret sharing in which
k secrets are mapped into n shares (n ≥ k) of the same size. Since n can
be chosen to be equal to k, the method is space efficient. This method
may be compared with conventional secret sharing schemes that divide a
single secret into n shares.

1 Introduction 

A k-out-of-n secret sharing scheme conventionally encodes a single secret s in n
shares such that any k of them can be used to reconstruct the secret (Shamir's
scheme [1]). However, Shamir's scheme is not space efficient because it leads to
an n-fold increase in total storage requirement. Some efforts have been made to
create space efficient schemes [6] under certain restrictions, but most other 
techniques achieve this in the general case by compromising security constraints 
and adopting a computational security model [21 USE], which is weaker compared 
to that of Shamir's scheme. 

We present an algorithm to split k secrets of length b each into n shares such
that each share is effectively of size (n/k) · b. Since n/k can be chosen to be
close to 1, our algorithm is space efficient.

Our proposed scheme is based on interpolation just like Shamir's scheme, 
but unlike Shamir we use the k secrets to obtain a polynomial and then create 
n shares by finding the values of the polynomial at n new points. Without 
knowledge of at least k of these shares, equal to the number of coefficients 
associated with the polynomial, the original secrets, defined for pre-fixed points
of the variable, cannot be found.



2 Space efficient secret sharing 

The proposed algorithm is as follows. Consider that k secrets $s_0, s_1, \ldots, s_{k-1}$
are numbers from the finite field $Z_p$, where p is prime.

Algorithm A

1. Map k secrets as k distinct points $P_i = (i, s_i)$, $0 \le i \le (k - 1)$.

2. Generate polynomial $f(x) = a_0 + a_1 x + a_2 x^2 + \ldots + a_{k-1} x^{k-1}$ of degree
(k − 1) by interpolating points $P_i$, $0 \le i \le (k - 1)$.

3. Sample the polynomial f(x) at n distinct points $D_i = f(i + k - 1)$, where
$1 \le i \le n$.

4. The shares are then given by $(k, D_1), (k + 1, D_2), \ldots, (k + n - 1, D_n)$.

Reconstruction of the secrets involves first interpolating any k shares to
recreate f(x) and then evaluating it to reveal the secrets $s_i = f(i)$, $0 \le i \le
(k - 1)$. All the computations are performed modulo a prime $p > (s_{max}, n)$,
$s_{max} = \max(s_i)$, $0 \le i \le (k - 1)$.

Reconstruction of the secrets in Algorithm A can be viewed as solution to
a set of linear equations $A \cdot v = F$, where A is a k x k Vandermonde matrix
[7] (generated using the x-coordinates of any k shares), v is a k x 1 vector
of unknowns (polynomial coefficients $a_i$'s) and F is the k x 1 vector of the
y-coordinates of the shares. Without loss of generality, assume we have k − 1
shares $(k, D_1), (k + 1, D_2), \ldots, (2k - 2, D_{k-1})$. We can explicitly write the system
of equations as follows,

Clearly to find the value of $a_i$'s one would need to invert the Vandermonde
matrix (find $A^{-1}$) and also know the values of $D_i$, $1 \le i \le k - 1$. Further, since
we have distributed the secrets among the coefficients of the polynomials, one
needs to reconstruct the coefficients $a_i$, $0 \le i \le (k - 1)$, in order to obtain any
and all of the secrets.

Figure 1 illustrates that p polynomials remain equally probable if we have
the knowledge of only 3 (out of the 4 required) shares (points).

Figure 1: (a) x: Four secrets; o: Four shares, (b) Three shares, one fewer than
the required number, are known, but they leave p polynomials equally likely.

Example. Let $s_0 = 10$, $s_1 = 23$, $s_2 = 16$, and $s_3 = 25$ be four secrets that are
to be shared between 6 players such that any 4 of them can reconstruct all the
4 secrets, i.e. n = 6 and k = 4. Let p = 31. We apply Algorithm 2 as follows,

1. Map the 4 secrets as 4 distinct points $P_1 = (0,10)$, $P_2 = (1,23)$, $P_3 =
(2,16)$, and $P_4 = (3,25)$.

2. Generate a polynomial f(x) by interpolating points $P_1$, $P_2$, $P_3$, and $P_4$ as
follows,

$$
\begin{aligned}
f(x) &= \sum_{i=0}^{3} s_i \prod_{j=0,\, j \neq i}^{3} \frac{x - j}{i - j} \pmod{31} \\
     &= 10 \cdot \frac{(x-1)(x-2)(x-3)}{(0-1)(0-2)(0-3)} + 23 \cdot \frac{(x-0)(x-2)(x-3)}{(1-0)(1-2)(1-3)} \\
     &\quad + 16 \cdot \frac{(x-0)(x-1)(x-3)}{(2-0)(2-1)(2-3)} + 25 \cdot \frac{(x-0)(x-1)(x-2)}{(3-0)(3-1)(3-2)} \\
     &= (19x^3 - 21x^2 + 23x - 21) + (27x^3 - 11x^2 + 7x) \\
     &\quad + (23x^3 - 30x^2 + 7x) + (30x^3 - 28x^2 + 29x) \\
     &= 6x^3 + 3x^2 + 4x - 21 \pmod{31}
\end{aligned}
$$



3. Sample f(x) at 6 distinct points $D_1 = f(4) = 24$, $D_2 = f(5) = 18$,
$D_3 = f(6) = 12$, $D_4 = f(7) = 11$, $D_5 = f(8) = 20$, and $D_6 = f(9) = 13$.

4. The shares are given by (4,24), (5,18), (6,12), (7,11), (8,20), and (9,13). 

This completes the construction of the shares by the algorithm. 

The reconstruction phase uses any four shares from step 4 above and
interpolates them to compute f(x). Then sampling f(x) at points x = 0, 1, 2 and 3
would reveal $s_0$, $s_1$, $s_2$, and $s_3$ respectively.

If an adversary or colluding players determine three shares out of the
required four shares in the above example, only a quadratic polynomial can be
reconstructed, leaving 31 possibilities for the fourth share equally likely. These
31 possibilities give rise to 31 unique cubic polynomials. Only one of
these 31 polynomials will pass through all the secrets. Hence the probability of
computing the secrets even after the knowledge of k − 1 = 3 shares is $1/p = 1/31$.

In practice, the primes chosen are very large (on the order of 1024 bits). Since
the secrets can be random numbers from the field, the knowledge of k − 1 shares
leaves p possibilities for the last share, which can only be guessed correctly with
a small probability on the order of $1/2^{1024}$. Consequently, knowledge of only k − 2
shares reduces the probability to $(1/2^{1024})^2$, and so on; in general, if t shares are
known then the secret can be guessed with a small probability of $(1/2^{1024})^{k-t}$.

This level of security may be sufficient in many applications, such as
sensor networks, where at any given time only a few sensors may be compromised.
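
Algorithm A and the worked example above (p = 31, k = 4, n = 6), written out as added Python that is not the authors' code; the function names and the k + n ≤ p check are assumptions of this example. It also enumerates the secret vectors that remain possible for a holder of only k − 1 shares.

```python
# Added example: Algorithm A over Z_p, checked against the worked example
# (p = 31, k = 4, n = 6). Function names are this example's, not the authors'.

def lagrange_eval(points, x, p):
    """Value at x of the unique polynomial of degree < len(points)
    passing through `points`, with all arithmetic modulo the prime p."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p  # Python 3.8+
    return total

def make_shares(secrets, n, p):
    """Steps 1-4: interpolate P_i = (i, s_i), sample at x = k .. k+n-1."""
    k = len(secrets)
    # Assumption of this example: every x in 0 .. k+n-1 must be distinct
    # modulo p, and every secret must already be an element of Z_p.
    if k + n > p or any(not 0 <= s < p for s in secrets):
        raise ValueError("need k + n <= p and 0 <= s_i < p")
    points = list(enumerate(secrets))
    return [(x, lagrange_eval(points, x, p)) for x in range(k, k + n)]

def reconstruct(shares, k, p):
    """Recover s_0 .. s_{k-1} from any k shares with distinct x."""
    if len(shares) < k or len({x for x, _ in shares}) != len(shares):
        raise ValueError("need at least k shares with distinct x")
    return [lagrange_eval(shares[:k], i, p) for i in range(k)]

def candidates(partial, k, missing_x, p):
    """All secret vectors consistent with k-1 known shares: one per
    possible value of the share at missing_x."""
    return {tuple(reconstruct(partial + [(missing_x, g)], k, p))
            for g in range(p)}

if __name__ == "__main__":
    p, secrets = 31, [10, 23, 16, 25]
    shares = make_shares(secrets, 6, p)
    print("shares:", shares)
    print("from shares 2,4,5,6:", reconstruct([shares[i] for i in (1, 3, 4, 5)], 4, p))
    left = candidates(shares[:3], 4, 7, p)
    print(len(left), "candidates remain;", tuple(secrets) in left)
```
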

A variant of Algorithm A is the case where the interpolating points are
randomly chosen with the constraint that they don't overlap with the x-coordinates
of the shares.

3 Conclusions 

We have presented a space efficient secret sharing scheme. The proposed method 
can also be used to encode a large secret, by dividing the secret into smaller 
pieces that are shared between several parties. Further it may be used for secure 
transmission of data over parallel communication channels or secure online data 
storage, providing efficiency higher than the method of Garay et al. [5]. 